Thus far in 2025, filers have seen far fewer last-minute audit requests than in previous years, yet regulators continue to focus on and expect more in familiar hot spots. A recent informal Sarbanes-Oxley Act (SOX) compliance poll[1] of audit and finance executives and professionals highlights three major themes shaping compliance programs now:
- Aligning with regulatory expectations (no real surprises, but a higher bar on key areas)
- Streamlining and right-sizing SOX programs for efficiency
- Leveraging technology to manage growing workloads
Below is a concise overview of each trend and its implications for your SOX compliance efforts.
Responding to Regulatory Changes
Despite some relief in audit execution, regulatory scrutiny remains intense in known areas. Organizations filing in calendar year 2025 have not faced as many last-minute surprises as they have historically and have found external auditors to be reasonable and to take a slightly lighter touch overall. However, the bar continues to rise on core controls. The Public Company Accounting Oversight Board (PCAOB) and auditors continue to maintain an increased emphasis on management review controls (MRC) and information produced by the entity (IPE).
Organizations are also experiencing growing pressure to classify more controls as MRC and IPE in both process and IT control sets; bring additional systems, tools, and analytics/reporting platforms into scope; and add granularity to third-party and SOC report reliance strategies. In other words, regulators didn't introduce new focus areas; instead, they doubled down on existing ones, expecting even stronger documentation and broader coverage in these areas.
On the policy front, a potential shake-up in audit oversight was avoided. In June, a proposal in Congress to eliminate the PCAOB and fold its duties into the U.S. Securities and Exchange Commission (SEC) was withdrawn from a budget bill. This development means the PCAOB, for now, will remain independent and fully operational. 39% of SOX poll respondents do not expect any change and plan to maintain their current approach, while 40% expect limited additional scrutiny and increased scope and effort. Consequently, organizations are not reducing effort; instead, they are maintaining focus primarily on the timeless areas of MRC and IPE.
Under current SEC leadership, there is also a push to exempt more small public companies from Section 404(b) (auditor attestation of internal controls). The rationale is to reduce compliance burdens and encourage capital formation. We will continue to monitor any potential impact of proposed changes to SEC filing requirements and any continued push for change to the PCAOB structure.
Implementing Program Improvements
Organizations continue to streamline their SOX programs to work smarter. Many organizations are reassessing their SOX compliance programs across the board, from scope coverage to control design and testing efforts, and this trend is likely to continue into 2026.
Critically evaluating the risk assessment and scoping is top of mind for nearly 60% of SOX poll respondents, with the aim of ensuring that the controls remaining in scope are only the key controls required to prevent material misstatement in financial reporting.
More than 50% of poll respondents are focused on right-sizing and optimizing the control environment. Some questions posed to Protiviti by companies focused on rationalizing and streamlining their SOX program include:
- Can you provide some examples of fixed asset risk and control matrices? We have 10 controls, which we think might be too many in this area.
- We strengthened our order-to-cash process a few years ago. Can you help us challenge whether we need to retain all the controls in this space?
- Our inventory process has changed, and we are not certain that we have all the key risks covered effectively and efficiently anymore.
- With the frequency of technological change, we need to review the IT infrastructure layers and determine which in-scope applications we must test separately rather than as part of a homogeneous population.
Some of these questions may strike a chord with your team.
Organizations are also re-evaluating their testing sample sizes and rationalizing where it makes sense to do so. There may be an opportunity for your program to adjust and flex sample sizes based on an informed level of risk, including the nature of the control, the level of external audit reliance, the history of its performance, the ability to leverage continuous monitoring, granular key performance indicator tracking or self-assessment, among other factors.
That said, caution is key. Any reduction in testing must be defensible. External auditors will expect a sound rationale for changes. Right-sizing testing is “definitely happening” (especially for 404(a)-only filers and stable control environments), but a reduction in effort can be interpreted too liberally if companies aren’t careful. The takeaway: document your rationale for any adjustments (e.g., a control’s strong track record, automation in place or auditor reliance plans) and closely monitor the outcomes.
Increasing Leverage of Technology
Technology remains crucial to managing SOX compliance. Nearly 70% of SOX poll respondents have continued to refine their SOX programs by implementing automated compliance tools that streamline documentation gathering and evidence creation, allowing for a greater focus on investigating outliers. To a lesser extent, but still worth highlighting, SOX professionals are collaborating with control owners to facilitate more real-time monitoring of internal controls.
There continues to be a focus on enhancing connected assurance platforms to enable more comprehensive and real-time risk assessment. Some SOX teams are assisting with the implementation of centralized reporting systems and governance frameworks by helping management develop standardized procedures and training across the organization, allowing for a more streamlined control set to follow.
Looking ahead, external auditors have been extremely cautious about considering activities that leverage work performed by generative AI. Process owners, internal control and internal audit teams are continuing to incorporate this technology into their work, but need to be prepared to design and describe their approach to include human review of all AI-generated work product, or potentially expect substantive testing from the external auditor.
Improvement areas your peers are prioritizing (their top 3)
| Improvement area | Share of respondents |
| --- | --- |
| Implementing additional technology and automation | 68% |
| Critically evaluating risk assessment and scoping | 57% |
| Control rationalization and optimization | 54% |
| Updating approach to testing operating effectiveness | 42% |
| Updating approach to testing design effectiveness | 31% |
| Reevaluating third-party risk and SOC reports | 17% |
| Offshoring additional work effort | 14% |
| Centralizing the internal control environment | 13% |
Tools currently leveraged by SOX programs
| Tool category | Share of respondents |
| --- | --- |
| Audit management or GRC platforms (e.g., Workiva, AuditBoard) | 61% |
| Data analytics and visualization tools (e.g., Power BI, Tableau, Alteryx) | 44% |
| SOD analysis or access management tools | 28% |
| Data extraction/tickmarking utilities | 27% |
| AI/ML tools (e.g., generative AI, agentic AI) | 24% |
How We Can Help
If any of these areas resonate with you, or if you have been evaluating your SOX program and would find it helpful to continue to challenge your program, we would be happy to have a conversation with you.
[1] About our poll
We conducted a brief online poll between late August and early October 2025 to understand the priorities of SOX program leaders. We provide these results as directional observations related to notable insights and trends in SOX compliance programs and activities.

